
SPRS Guide: DoD Supplier Performance Risk System Scoring Explained

Understand the DoD SPRS scoring system for NIST 800-171 self-assessments. Learn how scores are calculated, who must submit, what the submission includes, and how contracting officers use SPRS scores in procurement decisions.

Agency Team

We regularly work with defense contractors who are surprised to learn that their SPRS score is visible to contracting officers and can influence contract award decisions. SPRS is not just a compliance checkbox — it is a competitive factor in DoD procurement, and organizations with low scores are increasingly finding themselves at a disadvantage.

The Supplier Performance Risk System (SPRS) is the Department of Defense's centralized repository for contractor cybersecurity self-assessment results. Every defense contractor subject to DFARS clause 252.204-7012 must conduct a self-assessment of their implementation of NIST 800-171 security controls and submit the resulting score to SPRS. Contracting officers access this system to verify that contractors meet minimum cybersecurity requirements before awarding contracts.

This guide explains the SPRS scoring methodology, the self-assessment process, what the submission includes, how contracting officers use the scores, and practical strategies for improving your score.

What Is SPRS?

SPRS is a web-based application maintained by the Defense Logistics Agency (DLA) that serves as the DoD's supplier risk management platform. While SPRS tracks various types of supplier performance data (delivery, quality, business systems), the cybersecurity component — specifically the NIST 800-171 self-assessment score — has become its most prominent function for the defense industrial base.

The cybersecurity scoring requirement was established by DFARS Interim Rule (September 2020), which added clauses 252.204-7019 (requiring self-assessment) and 252.204-7020 (requiring SPRS submission and granting DoD access for assessment verification). Together with the existing 252.204-7012 clause, these requirements create a framework where contractors must:

  1. Implement NIST 800-171 controls for systems handling CUI
  2. Conduct a self-assessment against all 110 controls
  3. Calculate a numerical score
  4. Submit the score and assessment details to SPRS
  5. Make the assessment available to DoD upon request

SPRS Scoring Methodology

The SPRS scoring system assigns a weighted value to each of the 110 NIST 800-171 controls. The maximum score is 110 (all controls fully implemented), and the minimum possible score is -203 (no controls implemented).

How Scores Are Calculated

The scoring follows the assessment procedures in NIST SP 800-171A and the point values defined in the DoD Assessment Methodology Version 1.2.1:

  1. Start with 110 — The maximum score assumes all controls are fully implemented
  2. Subtract for unmet controls — Each control that is not fully implemented has its weighted value subtracted from 110
  3. Weighted values vary — Not all controls are weighted equally. Critical controls carry higher values (up to 5 points), while less critical controls may carry only 1 point
  4. Binary assessment — Each control is either fully implemented (MET) or not (NOT MET). There is no partial credit

Control Weighting

Controls are weighted based on their security significance. The weighting reflects how critical each control is to protecting CUI:

| Weight | Number of controls | Examples |
|---|---|---|
| 5 points | ~20 controls | Multi-factor authentication, access control for CUI, audit logging, incident response |
| 3 points | ~40 controls | Session termination, configuration management, vulnerability scanning |
| 1 point | ~50 controls | Security awareness training frequency, visitor records, physical access logs |

The exact weighting for each control is defined in the DoD Assessment Methodology. The high-weighted controls (5 points each) represent the security requirements that, if unmet, create the most significant risk to CUI protection.

Score Examples

| Scenario | Score | Interpretation |
|---|---|---|
| All 110 controls met | 110 | Full compliance, best possible position |
| 5 high-weight controls unmet (5 pts each) | 85 | Significant gaps in critical controls |
| 10 medium-weight controls unmet (3 pts each) | 80 | Multiple moderate gaps |
| 20 low-weight controls unmet (1 pt each) | 90 | Numerous minor gaps |
| Mix of 10 high + 15 medium + 20 low unmet | 25 | Substantial compliance gaps |
| Most controls unmet | Negative | Fundamental compliance deficiencies |

The Significance of Negative Scores

A negative SPRS score is not uncommon for organizations early in their compliance journey. If an organization has not implemented any formal security controls aligned to NIST 800-171, the cumulative weight of all 110 controls being NOT MET results in a score of -203. In our experience, organizations typically start between -100 and 0 when they have basic security practices in place but have not formally aligned them to NIST 800-171 requirements.

Conducting the Self-Assessment

Assessment Types

The DoD recognizes three levels of NIST 800-171 assessment, each with increasing rigor:

| Assessment level | Who conducts | Confidence level | When used |
|---|---|---|---|
| Basic | Contractor self-assessment | Low | Minimum requirement for DFARS compliance |
| Medium | DoD assessor reviews documentation | Medium | DoD may conduct for verification |
| High | DoD assessor reviews documentation and conducts interviews/testing | High | CMMC Level 2 assessment (by C3PAO) or DoD-initiated assessment |

For SPRS submission purposes, the Basic (self-assessment) level is the minimum requirement. However, organizations should conduct their self-assessment rigorously because the DoD reserves the right to conduct Medium or High assessments to verify the self-reported score.

Self-Assessment Process

Step 1: Define the Assessment Scope

Identify the information systems that process, store, or transmit CUI. The assessment covers every component within the system boundary as defined in your System Security Plan (SSP).

Step 2: Review Each Control

For each of the 110 NIST 800-171 controls, determine whether the control is:

  • MET — The control is fully implemented as described in the SSP
  • NOT MET — The control is not implemented, partially implemented, or implemented differently than required

There is no "partially met" status. If a control requires MFA for all remote access and you have MFA on VPN but not on cloud applications, the control is NOT MET.

Step 3: Calculate the Score

For each NOT MET control, subtract its weighted value from 110. The result is your SPRS score.

Step 4: Document Findings

For each NOT MET control, document:

  • The specific gap or deficiency
  • Whether a POA&M exists to address the gap
  • The target remediation date
  • The resources required for remediation

Step 5: Prepare Supporting Documentation

The self-assessment should be supported by:

  • A current System Security Plan (SSP) describing control implementations
  • A Plan of Action and Milestones (POA&M) for unmet controls
  • An assessment report documenting the methodology and findings
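The calculation in Step 3, the binary MET/NOT MET rule in Step 2, and the weighting table above can be put into a few lines of code. The following is an added example written for this guide; it is not the article's own tool or anything the DoD publishes. The control names, point weights and statuses in SAMPLE_ASSESSMENT are constructed for illustration (the weights follow the 5/3/1 tiers and examples in the weighting table); the authoritative per-control weights are in the DoD Assessment Methodology. The example also flags NOT MET controls that have no POA&M entry and orders the gaps by weight, which is the remediation order discussed later in the guide. Note that running the "10 high + 15 medium + 20 low" scenario through the stated rule gives 110 - (50 + 45 + 20) = -5.

```python
"""Worked SPRS-style scoring example.

Added example, not code from the article or a DoD tool. The control
names, point weights and statuses in SAMPLE_ASSESSMENT are constructed
for illustration; the real per-control weights are defined in the
DoD Assessment Methodology, not here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_SCORE = 110          # every one of the 110 controls MET
MIN_SCORE = -203         # every control NOT MET
VALID_WEIGHTS = {1, 3, 5}


@dataclass
class ControlResult:
    control_id: str                 # constructed label, not a NIST 800-171 number
    weight: int                     # 5, 3 or 1 points
    implemented: str                # "full", "partial" or "none"
    poam_ref: Optional[str] = None  # POA&M entry id, if one exists


def status(result: ControlResult) -> str:
    """Binary rule: only a fully implemented control is MET.

    A partially implemented control (e.g. MFA on the VPN but not on cloud
    applications) counts as NOT MET and loses its full weight.
    """
    return "MET" if result.implemented == "full" else "NOT MET"


def sprs_score(results: List[ControlResult]) -> int:
    """Start at 110 and subtract the weight of every NOT MET control.

    Controls not listed in `results` are assumed MET, so a partial list
    scores only the gaps it contains.
    """
    for r in results:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.control_id}: weight {r.weight} is not 1, 3 or 5")
    if len(results) > 110:
        raise ValueError("NIST 800-171 has 110 controls; the list has more")
    deductions = sum(r.weight for r in results if status(r) == "NOT MET")
    score = MAX_SCORE - deductions
    # With the real weight distribution the floor is -203; a constructed list
    # of many 5-point controls could breach it, so fail rather than report it.
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return score


def score_from_counts(high_unmet: int, medium_unmet: int, low_unmet: int) -> int:
    """Score when only the number of NOT MET controls per weight tier is known."""
    return MAX_SCORE - (5 * high_unmet + 3 * medium_unmet + 1 * low_unmet)


def unmet_without_poam(results: List[ControlResult]) -> List[str]:
    """NOT MET controls with no POA&M entry: a gap with no plan behind it."""
    return [r.control_id for r in results
            if status(r) == "NOT MET" and not r.poam_ref]


def remediation_priority(results: List[ControlResult]) -> List[Tuple[str, int]]:
    """NOT MET controls ordered by weight, highest first.

    Closing a 5-point control moves the score five times as far as a
    1-point control, so this is the order that raises the score fastest.
    """
    unmet = [(r.control_id, r.weight) for r in results if status(r) == "NOT MET"]
    return sorted(unmet, key=lambda item: item[1], reverse=True)


# Constructed sample: seven of the 110 controls, the remaining 103 assumed MET.
SAMPLE_ASSESSMENT = [
    ControlResult("mfa-remote-access", 5, "partial", "POAM-001"),  # VPN only, no MFA on cloud apps
    ControlResult("audit-logging", 5, "full"),
    ControlResult("incident-response", 5, "none"),                  # no POA&M entry yet
    ControlResult("session-termination", 3, "full"),
    ControlResult("vulnerability-scanning", 3, "none", "POAM-002"),
    ControlResult("security-awareness-training", 1, "partial", "POAM-003"),
    ControlResult("visitor-records", 1, "full"),
]


if __name__ == "__main__":
    print("sample score:", sprs_score(SAMPLE_ASSESSMENT))          # 96
    print("no POA&M:", unmet_without_poam(SAMPLE_ASSESSMENT))      # ['incident-response']
    print("fix first:", remediation_priority(SAMPLE_ASSESSMENT))
    for high, med, low in [(5, 0, 0), (0, 10, 0), (0, 0, 20), (10, 15, 20)]:
        print(f"{high} high + {med} medium + {low} low unmet ->",
              score_from_counts(high, med, low))
```

The sample scores 96 (110 minus 5 + 5 + 3 + 1): the partially implemented MFA control costs its full five points exactly as the text describes, and incident-response is reported as a gap with no POA&M behind it.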

For detailed guidance on NIST 800-171 controls, see our NIST 800-171 compliance guide.

Submitting to SPRS

Access Requirements

SPRS is accessed through the DoD's Procurement Integrated Enterprise Environment (PIEE) at https://piee.eb.mil. To submit scores, you need:

  • A PIEE account with the appropriate role (SPRS Cyber Vendor role)
  • A valid CAGE code for your organization
  • A current SAM.gov registration

Required Submission Fields

The SPRS submission includes the following information:

| Field | Description |
|---|---|
| CAGE code | Your Commercial and Government Entity code |
| Assessment date | Date the self-assessment was completed |
| Assessment scope | Description of the systems covered by the assessment |
| Assessment type | Basic, Medium, or High |
| Score | Your calculated NIST 800-171 score (-203 to 110) |
| Date score was assigned | When the score was formally determined |
| SSP name and date | Reference to the System Security Plan |
| POA&M status | Whether a POA&M exists and its date |
| Plan to achieve 110 | If score is below 110, description of remediation plan |
| Date to achieve 110 | Target date for achieving full compliance |

Submission Timeline

  • Initial submission — Required before contract award for contracts containing DFARS 252.204-7019
  • Updates — Should be submitted when your score changes (either improvement from remediation or degradation from new findings)
  • Currency — Assessments must be current within three years, though annual updates are best practice
  • Post-remediation — When POA&M items are closed and controls move to MET status, submit an updated score

How Contracting Officers Use SPRS Scores

Understanding how contracting officers interpret SPRS scores helps prioritize your remediation efforts.

During Source Selection

Contracting officers review SPRS scores as part of the responsibility determination for contractors bidding on CUI-handling contracts. While there is no publicly defined minimum passing score, the practical implications are:

  • Score of 110 — Demonstrates full compliance, strongest competitive position
  • High score with POA&M — Acceptable when the POA&M shows a credible plan to reach 110 within a reasonable timeframe
  • Low score with aggressive POA&M — May be acceptable for some contracts but creates risk of contracting officer determining the contractor is not responsible
  • Very low or negative score — Significant risk of adverse responsibility determination, particularly for contracts involving sensitive CUI
  • No score submitted — Non-compliant with DFARS requirements, likely disqualifying

During Contract Performance

SPRS scores are not only relevant at contract award. Contracting officers may periodically review scores during contract performance and:

  • Request updated assessments if scores are stale
  • Factor scores into past performance evaluations
  • Require remediation plans for contractors whose scores deteriorate
  • In extreme cases, consider contract modifications or termination for persistent non-compliance

Competitive Implications

In competitive procurements, SPRS scores increasingly function as a differentiator. When two contractors offer similar technical solutions at comparable prices, the contractor with a higher SPRS score demonstrates lower cybersecurity risk to the government. What we tell clients: treat your SPRS score as a competitive metric, not just a compliance requirement.

Strategies for Improving Your SPRS Score

Prioritize High-Weight Controls

Since controls are weighted differently, focusing on high-weight (5-point) controls delivers the fastest score improvement. Common high-weight controls that organizations can often implement relatively quickly include:

  • Multi-factor authentication (IA.L2-3.5.3) — Deploy MFA for all remote access and privileged accounts
  • Audit logging (AU.L2-3.3.1) — Enable and centralize audit logs for systems handling CUI
  • Access control for CUI (AC.L2-3.1.3) — Implement CUI access restrictions and flow controls
  • Incident response (IR.L2-3.6.1) — Establish a documented incident response capability

Address Quick Wins

Some controls require minimal technical implementation and primarily need documentation:

  • Policy documentation — Many controls are partially satisfied by having documented policies
  • Security awareness training — Deploy a training program to satisfy AT controls
  • Role-based access — Review and document access assignments to satisfy AC controls
  • Configuration baselines — Document your standard configurations to satisfy CM controls

Build a Realistic POA&M

For controls that cannot be implemented immediately, create a Plan of Action and Milestones that documents:

  • Each unmet control with its weighted value
  • Specific remediation actions required
  • Resource requirements (budget, staff, tools)
  • Realistic target completion dates
  • Milestone checkpoints along the way

Monitor and Update Regularly

Your SPRS score should improve over time as you close POA&M items. Establish a cadence:

  • Monthly: Review POA&M progress and close completed items
  • Quarterly: Reassess controls near the MET/NOT MET boundary
  • Annually: Conduct a full reassessment and submit updated score
  • After major changes: Reassess whenever significant system changes occur

SPRS and CMMC: How They Relate

SPRS and CMMC address the same underlying requirement — NIST 800-171 compliance — but through different mechanisms:

| Aspect | SPRS | CMMC Level 2 |
|---|---|---|
| Assessment type | Self-assessment (Basic) | Third-party assessment (C3PAO) |
| Scoring | Numerical score (-203 to 110) | Pass/Fail with conditional status |
| Verification | DoD may verify; honor system by default | Independent assessor verification required |
| Timeline | Required now | Phased rollout through 2028 |
| Consequence of low score | Competitive disadvantage, potential non-responsibility | Cannot receive CMMC certification |

As CMMC rolls out, SPRS self-assessments will continue to be required alongside CMMC certifications. Organizations that have been diligently improving their SPRS scores will be better positioned for CMMC assessments, since the underlying control requirements are identical.

For a complete understanding of CMMC requirements, see our CMMC requirements guide.

Common SPRS Mistakes

Over-reporting your score. Claiming controls are MET when they are only partially implemented is the most dangerous SPRS mistake. The DoD can conduct verification assessments, and a score that does not withstand scrutiny creates legal risk under the False Claims Act. It is far better to report an accurate low score with a credible remediation plan than an inflated score that cannot be defended.

Assessing the wrong scope. The assessment must cover all systems that handle CUI. Organizations that assess only their primary system while ignoring email, file sharing, or subcontractor data flows will have an inaccurate score and face findings during DoD verification or CMMC assessment.

Treating it as a one-time exercise. SPRS scores should reflect your current security posture. An assessment conducted two years ago that does not account for new systems, retired controls, or changed configurations is unreliable and potentially non-compliant with the three-year currency requirement.

Not linking to POA&M. Every NOT MET control should have a corresponding POA&M entry. A low score without a POA&M tells contracting officers that you have identified gaps but have no plan to address them — which is worse than having the gaps in the first place.

Ignoring subcontractor scores. Prime contractors are increasingly expected to verify that their subcontractors have submitted SPRS scores. If your subcontractors handle CUI and have not submitted to SPRS, that represents a supply chain risk that contracting officers may question.
